The classic trap
Article 3 mostly traps international groups and SaaS vendors who assume the GDPR does not apply because their headquarters sit in Singapore, New York or post-Brexit London. The CNPD and CNIL apply an extensive reading of the targeting criterion derived from EDPB Guidelines 3/2018: one local language, one local currency, a .lu or .fr domain, or a tracking pixel is enough to trigger territorial applicability. The most overlooked consequence is the obligation to appoint an EU representative under Article 27; failing to appoint one is penalised as a standalone breach.
The three GDPR entry doors to memorise
- Establishment criterion (Art. 3.1): a subsidiary, a representative office, or even a single stable sales agent in Luxembourg is enough, even if the actual processing happens in India or the US. The CJEU (Weltimmo, Google Spain) reads establishment very broadly, regardless of legal personality.
- Targeting criterion (Art. 3.2.a): offering goods or services to data subjects located in the EU. EDPB indicators include local language, local currency, EU delivery, EU client references, geo-targeted Google Ads, and mention of an EU VAT number.
- Monitoring criterion (Art. 3.2.b): behavioural tracking via cookies, fingerprinting, Meta pixels, Hotjar, programmatic retargeting, IP geolocation. A standard Google Analytics 4 deployment without EU signal opt-out triggers Article 3.
- Derived criterion (Art. 27): every non-EU controller falling under Article 3.2 must appoint an EU representative in writing, save for narrow exceptions (occasional processing, no sensitive data, low risk). The representative must sit in a Member State where data subjects are located, and their identity must appear in the privacy notice.
The Luxembourg-specific pitfall
Holding companies, SOPARFIs, family offices and fintechs established in Luxembourg underestimate criterion 3.1: even if the actual processing is outsourced to an Indian or US provider, it is the activity of the Luxembourg establishment that triggers applicability. Conversely, non-EU SaaS vendors targeting Luxembourg clients (CSSF-regulated firms, regulated professions) often ignore that they fall under Article 3.2 from the very first prospected lead.
How Luxgap automates this risk
Our Luxgap Territorial Reach Scanner determines within 48h, with no questionnaire, whether your organisation is subject to GDPR under Article 3.1, 3.2.a or 3.2.b, and produces evidence that can be relied on before the CNPD. The tool combines an AI agent that crawls your public websites and mobile apps, connectors for Google Analytics, Meta Business, HubSpot and Salesforce to map your marketing flows, and automated tax analysis of your Odoo, Sage BOB 50 or Cegid invoices to detect inbound and outbound EU flows.
- Automatically detects EU targeting signals across your digital properties: displayed languages, accepted currencies, national TLDs, legal notices, geographic shipping, geo-pricing.
- Classifies each flow against the EDPB 3/2018 grid and qualifies GDPR applicability per criterion (establishment, targeting, monitoring) with a reasoned confidence level.
- Identifies third-party pixels and trackers (Meta, TikTok, LinkedIn, Hotjar, Clarity) active on your public pages via a lightweight JS snippet and computes Article 3.2.b exposure in real time.
- Automatically generates a pre-filled Article 27 EU representative mandate, and identifies the Member States where appointment is legally required given your real audiences.
- Sends instant alerts via Teams or Slack when a new website, subdomain or marketing campaign pulls a non-EU entity of your group into the scope of Article 3.
- Produces a time-stamped, cryptographically sealed PDF report that can be relied on before the CNPD or CNIL during an audit, demonstrating the reasoned determination of your territorial status.
Available as an add-on to a Luxgap DPO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our team will prepare a demonstration on your actual websites and marketing flows, with a free 48h scan to measure your territorial exposure before any engagement.